How to properly sanitize strings without $wpdb->prepare?

I can’t use $wpdb->prepare, since I want to be able to add variables
to my query string that look something like:

$var = "AND pm.meta_value="%$_POST["val']%'";

To get a literal % to pass through $wpdb->prepare just double it. You don’t need to be avoiding $wpdb->prepare.

Proof of concept:

var_dump($wpdb->prepare('SELECT * FROM {$wpdb->posts} WHERE post_title LIKE "%%%s%%"','Hello'));

A comment below suggests something a bit more complicated might be in order:

$var[] = 'post_title LIKE "%%%s%%"';
$var_data[] = 'Hello';
$var[] = 'post_name LIKE "%%%s%%"';
$var_data[] = 'Hi';
$var[] = 'post_date LIKE "%%%s%%"';
$var_data[] = 'Howdy';
var_dump($wpdb->prepare('SELECT * FROM {$wpdb->posts} WHERE post_title '.implode(' AND ',$var),$var_data));

Of course, in practice you would probably create $var and $var_data in some kind of loop such as:

foreach ($_POST as $k=>$v) {
  if ('abc' == $k) {
    $var[] = 'post_title LIKE "%%%s%%"';
    $var_data[] = $v; // should probably validate a bit
  } elseif(...) {
    // ...
  } else {
    // ...
  }
}

It is always possible to run prepare on each item as well:

$var[] = $wpdb->prepare('post_title LIKE "%%%s%%"','Hello');

But the method using the array strikes me as more elegant and only runs $wpdb->prepare once, for what that is worth.

Related Posts:

  1. Do I need to sanitize $_POST[‘keyword’] before send to ‘s’ parameter?
  2. MySQL Error: : ‘Access denied for user ‘root’@’localhost’
  3. What is the difference between “INNER JOIN” and “OUTER JOIN”?
  4. SQL WITH clause example [duplicate]
  5. The wait operation timed out. ASP
  6. Conversion failed when converting date and/or time from character string while inserting datetime
  7. how to fix oracle ORA-01722 invalid number error
  8. SQL query to select dates between two dates
  9. MySQL – Operand should contain 1 column(s)
  10. SQL SELECT WHERE field contains words
  11. MySQL Error: : ‘Access denied for user ‘root’@’localhost’
  12. NOT IN vs NOT EXISTS
  13. Must declare the scalar variable
  14. ORA-00979 not a group by expression
  15. MySQL query String contains
  16. How do I escape a single quote in SQL Server?
  17. T-SQL split string based on delimiter
  18. Finding duplicate values in a SQL table
  19. MySQL Cannot Add Foreign Key Constraint
  20. Oracle error : ORA-00905: Missing keyword
  21. mysql Foreign key constraint is incorrectly formed error
  22. Can a foreign key be NULL and/or duplicate?
  23. How do I do multiple CASE WHEN conditions using SQL Server 2008?
  24. How do composite indexes work?
  25. Difference between JOIN and INNER JOIN
  26. MySQL “WITH” clause
  27. What is the difference between JOIN and UNION?
  28. MySQL Multiple Joins in one query?
  29. Error Code: 2013. Lost connection to MySQL server during query
  30. “CASE” statement within “WHERE” clause in SQL Server 2008
  31. SQL join on multiple columns in same tables
  32. ORA-00972 identifier is too long alias column name
  33. What is the difference between Scope_Identity(), Identity(), @@Identity, and Ident_Current()?
  34. Sql query – getting rid of hard-coded values
  35. ORA-00918: column ambiguously defined in SELECT *
  36. Combining “LIKE” and “IN” for SQL Server
  37. How To Run A Github Repository?
  38. SQL Switch/Case in ‘where’ clause
  39. Oracle – ORA-01489: result of string concatenation is too long [duplicate]
  40. SQL Server WITH statement
  41. How to run a SQL query on an Excel table?
  42. Algebra Relational sql GROUP BY SORT BY ORDER BY
  43. SQL Server reports ‘Invalid column name’, but the column is present and the query works through management studio
  44. Oracle “Partition By” Keyword
  45. What is the equivalent of ‘describe table’ in SQL Server?
  46. Add a column with a default value to an existing table in SQL Server
  47. Remote table-Valued Function Calls are not allowed
  48. The backend version is not supported to design database diagrams or tables
  49. Determine ROW that caused “unexpected end of file” error in BULK INSERT?
  50. SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax — PHP — PDO [duplicate]
  51. Difference between View and table in sql
  52. Using group by on multiple columns
  53. Exclude a column using SELECT * [except columnA] FROM tableA?
  54. How do you force mysql LIKE to be case sensitive?
  55. What is the difference between a stored procedure and a view?
  56. Why is SQL server throwing this error: Cannot insert the value NULL into column ‘id’?
  57. pg_ctl: no database directory specified and environment variable PGDATA unset
  58. ERROR 1148: The used command is not allowed with this MySQL version
  59. Bulk load data conversion error (truncation)
  60. How to order by with union in SQL?
  61. Difference between INNER JOIN and LEFT SEMI JOIN
  62. SQL conditional SELECT
  63. ‘CREATE PROCEDURE’ must be the only statement in the batch (Erro)
  64. PostgreSQL create table if not exists
  65. PostgreSQL visual interface similar to phpMyAdmin?
  66. Solutions for INSERT OR UPDATE on SQL Server
  67. GROUP BY and COUNT using ActiveRecord
  68. MySQL – Get row number on select
  69. MySQL error: Unknown column in ‘where clause’
  70. What is the difference between Views and Materialized Views in Oracle?
  71. How to truncate the text returned for a column in a MySQL query
  72. “select * into table” Will it work for inserting data into existing table
  73. ORA-01735: invalid ALTER TABLE option – Toad
  74. CASE IN statement with multiple values
  75. List of special characters for SQL LIKE clause
  76. Use wpdb->prepare for `order by` column name
  77. Moving database with phpMyAdmin
  78. How To Write An Inner Join With WP Query
  79. How do I escape a table name or column name in SQL? esc_sql doesn’t do this
  80. Update user_login, user_nicename, and display_name
  81. Change sticky status of posts from phpMyAdmin
  82. Fetch all Posts where logged in user has commented
  83. Best Way to Merge a Dev and Live Site to Become a Staging Site?
  84. How to import a Typo3 database to a wordpress site?
  85. What does the $posts_join filter join to?
  86. Clean up very big and very dirty database
  87. How to delete ALL comments from certain category in WordPress database?
  88. How can I convert everything from category X to have post format Link
  89. Bulk delete WordPress Post and all metadata, etc using SQL query
  90. What steps do I need to take to install a local copy of a live website?
  91. Reset post IDs with all post meta
  92. How to Add or Change Post Title
  93. Why does DROP TABLE-ing the `wp_options` reset my user session?
  94. How to refactor DB queries for better TTFB in WordPress?
  95. query sql-table and change entities
  96. Duplicate WP Migration affecting site on separate domain?
  97. Analog category_and (WP) in sql query
  98. Backtick (MySQL norm) added to SQL Server Query causing error
  99. SQL query to check whether a meta key is set or not for a post in post_meta table
  100. Firebase with WordPress instead of SQL?

Leave a Comment